<VirtualHost *:80>
  ServerName {{ name }}
{% if server_aliases %}
  ServerAlias {{ server_aliases | join(" ") }}
{% endif %}
  ServerAdmin {{ server_admin }}
  TraceEnable Off

{% if gzip %}
  SetOutputFilter DEFLATE
{% endif %}

{% if certbot %}
  ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
{% endif %}

{% if sslonly %}
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteCond %{REQUEST_URI} !/.well-known/acme-challenge/.*
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
{% else %}
  Include "conf.d/{{ name }}/*.conf"
{% endif %}
</VirtualHost>

{% if ssl %}
<VirtualHost *:443>
  ServerName {{ name }}
{% if server_aliases %}
  ServerAlias {{ server_aliases | join(" ") }}
{% endif %}
  ServerAdmin {{ server_admin }}

{% if gzip %}
  SetOutputFilter DEFLATE
{% endif %}

  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/{{ cert_name }}.cert
  SSLCertificateKeyFile /etc/pki/tls/private/{{ cert_name }}.key
{% if SSLCertificateChainFile %}
  SSLCertificateChainFile /etc/pki/tls/certs/{{ SSLCertificateChainFile }}
{% endif %}
  SSLHonorCipherOrder On

  # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
  # If you change the protocols or cipher suites, you should probably update
  # modules/squid/files/squid.conf-el6 too, to keep it in sync.
  SSLProtocol {{ ssl_protocols }}
  SSLCipherSuite {{ ssl_ciphers }}

{% if sslonly %}
  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
{% endif %}
  Include "conf.d/{{ name }}/*.conf"
</VirtualHost>
{% endif %}

